SAP Enterprise Cloud Services (ECS) runs one of the world's largest private clouds, managing over 200,000 virtual machines. With a legacy SIEM, SAP ECS struggled to keep up with rapid data growth while juggling high ingestion costs, manual threat detection workflows and limited MITRE ATT&CK coverage, which restricted its visibility into cyber threats. Using Anvilogic's AI-powered threat detection engineering on the Databricks Data Intelligence Platform, SAP ECS automated the translation of its detection rules, expanded its detection surface and reduced engineering time to respond faster.
Overcoming the limits of legacy detection
For SAP ECS, security operations have to keep pace with the scale and complexity of its worldwide private cloud. Beyond protecting its own infrastructure, SAP ECS also has to ensure customers can access, review and trust the data generated in their environments. Rising demand for log transparency from customers and auditors means that threat detection must be accurate, timely and shareable in real-time without creating additional overhead or risk.
SAP ECS's legacy threat detection approach, centered on a traditional SIEM, had limited flexibility and slowed operational response. High ingestion costs meant that only a subset of security data could be analyzed in real time, leaving large volumes of historically valuable data untouched. Manual detection engineering consumed analyst time, and tuning rules to reduce false positives was an ongoing drain on resources. In addition, limited MITRE ATT&CK coverage and reporting made it difficult to measure progress, align with industry-standard frameworks and reduce SAP ECS's attack surface.
As data volumes roughly tripled in recent years, the strain on infrastructure and processes intensified. SAP ECS required a scalable solution to process high-volume telemetry while giving internal teams and customers the visibility they needed. Roland Costea, SAP's Chief Information Security Officer - Enterprise Cloud Services, explains, “Our goal was to upgrade threat detection without disrupting the security operations our customers depend on. We needed to bridge from our existing investments to a more flexible, AI-driven architecture that can handle the scale of our environment.”
These requirements drove SAP ECS to seek a solution that could integrate with its existing tools, scale with data growth and enable a faster, more automated threat detection lifecycle.
Integrating AI into the threat detection lifecycle
SAP ECS partnered with Anvilogic to deploy a phased, AI-driven modular approach to threat detection on the Databricks Data Intelligence Platform. In the first phase, Anvilogic’s SOC platform integrated directly with SAP ECS’s Splunk environment, accelerating rule development and tuning. This immediate lift improved MITRE ATT&CK coverage, providing analysts with faster, more actionable insights for identifying and addressing gaps and reducing blind spots on SAP ECS’s attack surface.
The second phase focused on building for scale by eliminating data silos and making previously “dark” data analyzable for threats. SAP ECS re-architected its data pipelines to selectively route high-volume telemetry into Databricks, using Anvilogic in bridge mode to preserve full security control while reducing ingestion costs. With this approach, the team can process more data without overwhelming its legacy SIEM, laying the groundwork for a Databricks-powered threat detection strategy.
In the final phase, SAP ECS fully migrated to a Databricks-native detection architecture. The environment’s decoupled storage and compute model delivered the flexibility and cost efficiency needed to handle future data growth. Analysts used Anvilogic’s AI-powered capabilities and Mosaic AI to automate SPL-to-SQL translation, generate modular detection logic enriched with MITRE metadata and recommend tuning changes based on historical patterns. The AI-driven workflows reduced manual effort, improved rule accuracy and enabled pre-deployment validation against organizational data in Databricks.
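The workflow described above, as a small added illustration rather than Anvilogic's or SAP ECS's own code: a detection is kept as code that carries the original SPL search for traceability, its SQL translation, and MITRE ATT&CK metadata, and it is validated against a seeded sample of telemetry before deployment. The auth events, the rule names and the threshold are constructed for this example, and sqlite3 stands in for the Databricks SQL engine; the SQL itself is portable to Databricks SQL with the same semantics.

```python
"""Detection-as-code sketch (illustrative, not vendor code): each rule
carries its legacy SPL, the translated SQL, MITRE ATT&CK metadata and the
true positives it must catch in a test fixture.  sqlite3 stands in for the
Databricks SQL warehouse; all events and names below are constructed."""
import sqlite3
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Detection:
    name: str
    spl: str             # original Splunk search, kept for traceability
    sql: str             # translated query; every returned row is an alert
    technique: str       # MITRE ATT&CK technique ID
    tactic: str
    expected_hits: frozenset  # (username, src_ip) pairs seeded as true positives


# Constructed auth telemetry: (ts, username, src_ip, action).
# svc-backup fails 6 times from one IP; alice fails once then succeeds.
SAMPLE_AUTH_EVENTS = [
    (f"2024-05-01T10:00:{s:02d}Z", "svc-backup", "10.0.0.5", "failure")
    for s in range(0, 60, 10)
] + [
    ("2024-05-01T10:03:00Z", "alice", "10.0.0.9", "failure"),
    ("2024-05-01T10:04:00Z", "alice", "10.0.0.9", "success"),
    ("2024-05-01T10:05:00Z", "bob", "10.0.0.7", "success"),
]

BRUTE_FORCE = Detection(
    name="auth_brute_force_by_source",
    spl="index=auth action=failure | stats count by username, src_ip "
        "| where count >= 5",
    sql="""
        SELECT username, src_ip, COUNT(*) AS failures
        FROM auth_events
        WHERE action = 'failure'
        GROUP BY username, src_ip
        HAVING COUNT(*) >= 5
    """,
    technique="T1110",
    tactic="Credential Access",
    expected_hits=frozenset({("svc-backup", "10.0.0.5")}),
)

# A badly tuned variant: threshold of 1 turns every failed login into an alert.
NOISY_BRUTE_FORCE = replace(
    BRUTE_FORCE,
    name="auth_brute_force_by_source_noisy",
    sql=BRUTE_FORCE.sql.replace(">= 5", ">= 1"),
)


def load_events(events):
    """Load constructed telemetry into an in-memory table (stand-in for Databricks)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_events (ts TEXT, username TEXT, src_ip TEXT, action TEXT)"
    )
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?)", events)
    return conn


def run_detection(conn, det):
    """Return the set of (username, src_ip) entities the rule alerts on."""
    return {(row[0], row[1]) for row in conn.execute(det.sql)}


def validate(det, events):
    """Pre-deployment check: the rule must fire on every seeded true positive
    and on nothing else.  Missed entities and false positives are reported so
    the threshold can be tuned before the rule ships."""
    hits = run_detection(load_events(events), det)
    return {
        "hits": hits,
        "missed": det.expected_hits - hits,
        "false_positives": hits - det.expected_hits,
        "passed": hits == det.expected_hits,
    }


def coverage_gaps(detections, required_techniques):
    """ATT&CK techniques on the required list with no detection mapped to them."""
    covered = {d.technique for d in detections}
    return sorted(set(required_techniques) - covered)


if __name__ == "__main__":
    for det in (BRUTE_FORCE, NOISY_BRUTE_FORCE):
        print(det.name, det.technique, validate(det, SAMPLE_AUTH_EVENTS))
    print("gaps:", coverage_gaps([BRUTE_FORCE], ["T1110", "T1078", "T1021"]))
```

Keeping the SPL string next to the SQL makes the translation reviewable, and the fixture-based validation is what turns "recommend tuning changes" into a gate: the noisy variant fails because alice's single failed login shows up as a false positive, while the tuned rule passes. The coverage check is the same idea applied to MITRE metadata, listing the techniques a required set expects that no rule currently maps to.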
With this architecture in place, SAP ECS can unify its security data, expand its detection coverage and apply AI consistently across detection and mitigation. “The combination of Anvilogic’s AI capabilities with Databricks’ scale has fundamentally changed our detection workflow,” says Roland. “We can process more data, cover more threats and respond faster, without the trade-offs we faced before.”
Embracing data growth as a security advantage
Since implementing Anvilogic and migrating to the Databricks Data Intelligence Platform, SAP ECS has achieved measurable improvements in efficiency and security across its operations. Detection engineering time has been reduced by 60-80%, freeing analysts to focus on higher-value investigative work. Rule creation and deployment now occur five to six times faster, accelerating SAP ECS’s ability to adapt to changing threats. By reducing the volume of data sent through its legacy SIEM, SAP ECS has also achieved significant cost savings without sacrificing visibility.
The move to a Databricks-native lakehouse architecture has given SAP ECS a clear picture of its detection coverage, with enhanced MITRE ATT&CK mapping and KPI tracking. This visibility lets the security team pinpoint gaps and prioritize new detections by threat relevance. Real-time log sharing now gives both internal teams and customers immediate access to the security data needed for investigations and audits, improving transparency and trust.
SAP ECS’s new capabilities have also directly impacted its ability to deliver timely, accurate security outcomes at scale. Roland says, “We’ve been able to strengthen our security posture while also making our operations more efficient. Being able to create, test and refine detections quickly — and share results in real time — has changed how we respond to threats.”
Moving forward, SAP ECS plans to extend its use of Databricks and Anvilogic beyond current threat detection operations. Roadmap initiatives include contextualized, real-time risk scoring for all virtual machines, fully AI-assisted threat detection workflows and cross-domain analytics that apply Databricks capabilities to areas beyond security.